Page 1: Practical Forward Secure Signatures using Minimal Security Assumptions

23.09.2013 | TU Darmstadt | Andreas Hülsing | 1

Practical Forward Secure Signatures using Minimal Security Assumptions

PhD Defense, Andreas Hülsing

Page 2: Practical Forward Secure Signatures using Minimal Security Assumptions

Digital Signatures are Important!

Software updates

E-Commerce

… and many others


Page 3: Practical Forward Secure Signatures using Minimal Security Assumptions

Forward Secure Signatures [And97]


Page 4: Practical Forward Secure Signatures using Minimal Security Assumptions

Forward Secure Signatures

Figure (key lifetime over time):

Classical: key generation produces one pair $(pk, sk)$ that is used unchanged for the whole lifetime.

Forward secure: key generation produces one $pk$, but the secret key is updated from period to period, $sk_1 \to sk_2 \to \dots \to sk_i \to \dots \to sk_T$ over the time periods $t_1, t_2, \dots, t_i, \dots, t_T$.

Adversary's goal after learning $sk_i$: a forgery $(\mathrm{Sig}, j)$ for an earlier period $j < i$.


Page 5: Practical Forward Secure Signatures using Minimal Security Assumptions

What if…


Page 6: Practical Forward Secure Signatures using Minimal Security Assumptions

Post-Quantum Signatures

Lattice, MQ, Coding

Signature and/or key sizes

Runtimes

Secure parameters

no forward secure signatures

(figure residue: an example multivariate quadratic system in variables $x_1, \dots$ with outputs $y_1, \dots$; the equations themselves are not recoverable)


Page 7: Practical Forward Secure Signatures using Minimal Security Assumptions

Hash-based Signature Schemes [Mer89]

Post quantum

Only secure hash function

Security well understood

Fast

Forward secure (inefficient)

Page 8: Practical Forward Secure Signatures using Minimal Security Assumptions

Cryptographic Hash Functions

$H: \{0,1\}^m \to \{0,1\}^n$

Hash function family: $\mathcal{H}_n = \{H_K : \{0,1\}^m \to \{0,1\}^n \mid K \in \{0,1\}^{n'}\}$

Security properties, the world they live in, and the generic attack complexity (AC):

Collision Resistance (CR): Cryptomania, AC $O(2^{n/2})$

Second-preimage Resistance (SPR): Minicrypt, AC $O(2^n)$

One-wayness (OW): Minicrypt, AC $O(2^n)$

Undetectability (UD): Minicrypt, AC $O(2^n)$

Pseudorandomness (PRF): Minicrypt, AC $O(2^n)$


Page 9: Practical Forward Secure Signatures using Minimal Security Assumptions

Hash-based Signatures

Figure: $2^h$ one-time signature (OTS) key pairs form the leaves of a binary tree; every inner node is $H$ applied to its two children, level by level (here $H$ over 8 leaves, then 4 nodes, then 2, then the root). The root is the public key PK; the OTS secret keys together form the secret key SK.

SIG = (i = 2, OTS signature of leaf 2, authentication path: the sibling nodes on the way from leaf 2 up to the root)

Page 10: Practical Forward Secure Signatures using Minimal Security Assumptions

Challenges & Achievements

Challenges (state of the art before this thesis):

Minimal security assumptions XOR Efficient

Forward secure XOR Efficient

Large signatures

No full smartcard implementation

Achievements:

Efficient

Minimal security assumptions

„Small signatures"

Forward secure

Full smartcard implementation

Page 11: Practical Forward Secure Signatures using Minimal Security Assumptions

Contribution

Chapter 3: New Variants of the Winternitz One Time Signature Scheme
• WOTS+ & WOTS$

Chapter 4: XMSS
• „A practical, forward secure signature scheme based on minimal security assumptions“

Chapter 5: XMSS^MT
• „XMSS with Virtually Unlimited Signature Capacity”

Chapter 6: Choosing Optimal Parameters for XMSS∗

Chapter 7: XMSS∗ in Practice
• Implementation
• Experimental results (CPU & smartcard)


Page 12: Practical Forward Secure Signatures using Minimal Security Assumptions

Chapter 3

New Variants of the Winternitz One Time Signature Scheme


OTS

Page 13: Practical Forward Secure Signatures using Minimal Security Assumptions

Winternitz OTS (WOTS) [Mer89; EGM96]

| | = | | = m * | |

1. = f( )

2. Trade-off between runtime and signature size | | ~ m/log w * | |

SIG = (i, , , , , )


Page 14: Practical Forward Secure Signatures using Minimal Security Assumptions

Function family: $\mathcal{F}_n = \{F_K : \{0,1\}^n \to \{0,1\}^n \mid K \in \{0,1\}^{n'}\}$

Formerly (WOTS function chain): $c^0_K(x) = x$ and $c^i_K(x) = F_K(c^{i-1}_K(x)) = \underbrace{F_K(F_K(\dots F_K(}_{i\ \text{times}}x)\dots))$, with $K \in \{0,1\}^{n'}$

WOTS+: For $w \ge 2$ select $R = (r_1, \dots, r_{w-1})$ with $r_i \in \{0,1\}^n$, and $K \in \{0,1\}^{n'}$

WOTS+ function chain: $c^0_K(x, R) = x$ and $c^i_K(x, R) = F_K(c^{i-1}_K(x, R) \oplus r_i)$; the first step is $F_K(x \oplus r_1)$, and the chain runs $c^0(x), c^1(x), \dots, c^{i-1}(x), c^i(x), \dots, c^{w-1}(x)$

Page 15: Practical Forward Secure Signatures using Minimal Security Assumptions

WOTS+ [Hül13]

Parameters: Winternitz parameter $w$, security parameter $n$, message length $m$, function family $\mathcal{F}_n = \{F_K : \{0,1\}^n \to \{0,1\}^n \mid K \in \{0,1\}^{n'}\}$

Key Generation: compute $\ell$, sample $K$, sample $R$; then for every chain $i = 1, \dots, \ell$ start at the secret value and run the chain to its end:

$c^0(sk_1) = sk_1,\ c^1(sk_1),\ \dots,\ pk_1 = c^{w-1}(sk_1)$

$\dots$

$c^0(sk_\ell) = sk_\ell,\ c^1(sk_\ell),\ \dots,\ pk_\ell = c^{w-1}(sk_\ell)$


Page 16: Practical Forward Secure Signatures using Minimal Security Assumptions

WOTS+ Signature generation

Message $M$ → base-$w$ digits $b_1, b_2, b_3, b_4, \dots, b_{\ell_1}$; checksum $C$ → digits $b_{\ell_1+1}, b_{\ell_1+2}, \dots, b_\ell$

Chains: $c^0(sk_1) = sk_1, \dots, pk_1 = c^{w-1}(sk_1)$ through $c^0(sk_\ell) = sk_\ell, \dots, pk_\ell = c^{w-1}(sk_\ell)$

Signature: $\sigma_1 = c^{b_1}(sk_1), \dots, \sigma_\ell = c^{b_\ell}(sk_\ell)$
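The WOTS+ key generation and signing from these slides, as an added worked example in Python (not the thesis's C implementation). It uses constructed toy parameters ($n = 128$ bits, $w = 16$, $m = 256$ bits) and takes $F_K(x)$ to be SHA-256 of $K \| x$ truncated to $n$ bytes, an assumption made here only so the code runs; the slides require just a second-preimage resistant, undetectable one-way family. Verification, which the slides leave implicit, finishes each chain from $\sigma_i$ for the remaining $w-1-b_i$ steps and compares with $pk_i$; the last function checks the checksum observation used later in the proof, namely that two different messages always give some position $\alpha$ with $b^*_\alpha < b_\alpha$.

```python
import hashlib
import math
import os

# Toy parameters, constructed for this example (not the thesis parameter sets)
N = 16          # chain values are n = 128 bits (16 bytes)
W = 16          # Winternitz parameter: base-16 digits, i.e. nibbles
M_BITS = 256    # messages are hashed to m = 256 bits before signing


def wots_lengths(m_bits=M_BITS, w=W):
    """l1 message digits, l2 checksum digits, l = l1 + l2 chains."""
    lg = int(math.log2(w))
    l1 = math.ceil(m_bits / lg)
    l2 = math.floor(math.log2(l1 * (w - 1)) / lg) + 1
    return l1, l2, l1 + l2


L1, L2, L = wots_lengths()


def F(K, x):
    # Assumption: F_K(x) := SHA-256(K || x) truncated to n bytes stands in for
    # the keyed function family F_n of the slides.
    return hashlib.sha256(K + x).digest()[:N]


def chain(x, start, steps, K, R):
    # Advance a WOTS+ chain from c^start(x) to c^(start+steps)(x):
    # c^i(x) = F_K(c^(i-1)(x) XOR r_i), with bitmasks R = (r_1, ..., r_(w-1)).
    for i in range(start + 1, start + steps + 1):
        x = F(K, bytes(a ^ b for a, b in zip(x, R[i - 1])))
    return x


def base_w(data):
    # Split bytes into base-16 digits, high nibble first (fixed to w = 16 here).
    return [d for byte in data for d in (byte >> 4, byte & 0xF)]


def message_digits(msg):
    # b_1..b_l1 from the message digest, followed by the checksum
    # C = sum(w - 1 - b_i) written as l2 further base-w digits.
    b = base_w(hashlib.sha256(msg).digest())[:L1]
    C = sum(W - 1 - d for d in b)
    return b + base_w(C.to_bytes(2, "big"))[-L2:]


def keygen():
    K = os.urandom(N)
    R = [os.urandom(N) for _ in range(W - 1)]
    sk = [os.urandom(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1, K, R) for s in sk]     # pk_i = c^(w-1)(sk_i)
    return sk, (K, R, pk)


def sign(sk, pub, msg):
    K, R, _ = pub
    # sigma_i = c^(b_i)(sk_i)
    return [chain(sk[i], 0, b, K, R) for i, b in enumerate(message_digits(msg))]


def verify(pub, msg, sig):
    K, R, pk = pub
    b = message_digits(msg)
    # Complete each chain: c^(w-1-b_i)(sigma_i) must equal pk_i.
    return all(chain(sig[i], b[i], W - 1 - b[i], K, R) == pk[i] for i in range(L))


def checksum_forces_decrease(msg, forged_msg):
    # The checksum observation behind the security proof: for two different
    # digit vectors there is a position alpha with b*_alpha < b_alpha, so a forger
    # would have to walk some chain backwards (the "quasi-inversion").
    b, b_star = message_digits(msg), message_digits(forged_msg)
    return b != b_star and any(bs < bi for bi, bs in zip(b, b_star))
```

Because the checksum digits encode $\sum_i (w-1-b_i)$, raising any message digit lowers the checksum, so at least one digit of the full vector always decreases; that is why a second signature under the same key, with a different message, cannot be produced by only running chains forward.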


Page 17: Practical Forward Secure Signatures using Minimal Security Assumptions

Main result

Theorem 3.9 (informally): W-OTS+ is strongly unforgeable under chosen message attacks if $\mathcal{F}$ is a 2nd-preimage resistant, undetectable one-way function family


Page 18: Practical Forward Secure Signatures using Minimal Security Assumptions

Security Proof: Reduction


Page 19: Practical Forward Secure Signatures using Minimal Security Assumptions

Intuition

Oracle Response: $(\sigma, M)$ with $M \to (b_1, \dots, b_\ell)$. Forgery: $(\sigma^*, M^*)$ with $M^* \to (b_1^*, \dots, b_\ell^*)$

Observations:

1. Checksum: $\exists\, \alpha \in \{1, \dots, \ell\}$ s.t. $b^*_\alpha < b_\alpha$

2. Verification: $c^{w-1-b^*_\alpha}(\sigma^*_\alpha) = pk_\alpha = c^{w-1-b_\alpha}(\sigma_\alpha)$

“quasi-inversion” (figure): in chain $\alpha$ the honest values lie at $c^0(sk_\alpha) = sk_\alpha, \dots, \sigma_\alpha, \dots, pk_\alpha$, while the forged $\sigma^*_\alpha$ lies earlier in the chain than $\sigma_\alpha$ and still reaches $pk^*_\alpha = pk_\alpha$; the question is how the forger obtained such a value.


Page 20: Practical Forward Secure Signatures using Minimal Security Assumptions

Intuition, cont‘d

Oracle Response: $(\sigma, M)$ with $M \to (b_1, \dots, b_\ell)$. Forgery: $(\sigma^*, M^*)$ with $M^* \to (b_1^*, \dots, b_\ell^*)$

Given: “quasi-inversion” of $c$ (figure): the honest chain $c^0(sk_\alpha) = sk_\alpha, \dots, \sigma_\alpha, \dots, pk_\alpha$ and the forged $\sigma^*_\alpha$, whose chain meets the honest one at some position $\beta$. At that point the forger has produced either a second-preimage for $F_K$ (the two chains enter $F_K$ with different inputs) or a preimage.


Page 21: Practical Forward Secure Signatures using Minimal Security Assumptions

Result

Old [DSS05]: CR, UD, OW function family; Cryptomania; $|\mathrm{Sig}| = \ell \cdot 2b$

WOTS$ [BDEHR11]: PRF function family; Minicrypt; $|\mathrm{Sig}| = \ell \cdot (b + w)$

WOTS+ [Hül13]: SPR, UD, OW function family; conj. Minicrypt; $|\mathrm{Sig}| = \ell \cdot (b + \log w)$


Page 22: Practical Forward Secure Signatures using Minimal Security Assumptions

Chapter 4

XMSS


Page 23: Practical Forward Secure Signatures using Minimal Security Assumptions

XMSS [BDH11]

OTS: Lamport-Diffie / WOTS replaced by WOTS+ / WOTS$

Tree construction [DOTV08]: inner nodes are computed with $H$ and bitmasks $b_i$

Pseudorandom key generation (figure): each OTS secret key is expanded from a per-leaf seed with a PRG, and the per-leaf seeds are produced one after another by a forward secure PRG (FSPRG), so the secret key is only the current FSPRG state
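The structure of this slide, as an added worked example in Python that is not the thesis's implementation: a Merkle tree over one-time keys whose secret material is nothing but a forward secure PRG state plus an index. For brevity the leaves use the Lamport-Diffie scheme named above rather than WOTS+, the tree is a plain hash tree without the [DOTV08] bitmasks, and SHA-256 with label prefixes stands in for $H$, the PRG and the FSPRG; all three are assumptions made for this example. After each signature the old PRG state is overwritten, so the leaf seeds of earlier periods cannot be re-derived from the state that remains.

```python
import hashlib

N = 32  # hash output length in bytes (constructed toy parameter)


def H(*parts):
    # Assumption: SHA-256 with a label prefix stands in for H, the PRG and the FSPRG.
    return hashlib.sha256(b"".join(parts)).digest()


def fsprg(state):
    # One step of a forward secure PRG: (next state, output for this leaf).
    # Both are one-way images of `state`, so once the old state is overwritten
    # the earlier leaf seeds cannot be recomputed from what remains.
    return H(b"next", state), H(b"out", state)


# --- Lamport-Diffie one-time signature, keyed pseudorandomly from a leaf seed ---
def lamport_keygen(seed):
    sk = [[H(b"sk", seed, j.to_bytes(2, "big"), bytes([b])) for b in (0, 1)]
          for j in range(8 * N)]
    pk = [[H(b"pk", s) for s in pair] for pair in sk]
    return sk, pk


def msg_bit(digest, j):
    return (digest[j // 8] >> (7 - j % 8)) & 1


def lamport_sign(sk, msg):
    d = H(b"msg", msg)
    return [sk[j][msg_bit(d, j)] for j in range(8 * N)]


def lamport_verify(pk, msg, sig):
    d = H(b"msg", msg)
    return all(H(b"pk", sig[j]) == pk[j][msg_bit(d, j)] for j in range(8 * N))


def leaf_hash(pk):
    return H(b"leaf", *[v for pair in pk for v in pair])


# --- Merkle tree over the OTS public keys ---
def build_tree(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(b"node", lvl[k], lvl[k + 1]) for k in range(0, len(lvl), 2)])
    return levels  # levels[-1][0] is the root


def auth_path(levels, idx):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])  # sibling on the way up
        idx >>= 1
    return path


def root_from_path(leaf, idx, path):
    node = leaf
    for sibling in path:
        node = H(b"node", node, sibling) if idx & 1 == 0 else H(b"node", sibling, node)
        idx >>= 1
    return node


class ForwardSecureMerkleSigner:
    def __init__(self, h, seed):
        self.T = 1 << h
        # Key generation: run the FSPRG chain once over all 2^h leaves to get the root.
        state, leaves = seed, []
        for _ in range(self.T):
            state, leaf_seed = fsprg(state)
            leaves.append(leaf_hash(lamport_keygen(leaf_seed)[1]))
        self.levels = build_tree(leaves)  # public data; XMSS recomputes it (see BDS)
        self.root = self.levels[-1][0]
        self.state, self.i = seed, 0      # the whole secret key: PRG state + index

    def sign(self, msg):
        if self.i >= self.T:
            raise RuntimeError("all one-time keys used")
        # Advance the FSPRG first; the old state is gone after this assignment.
        self.state, leaf_seed = fsprg(self.state)
        sk, pk = lamport_keygen(leaf_seed)
        idx, self.i = self.i, self.i + 1
        return idx, lamport_sign(sk, msg), pk, auth_path(self.levels, idx)


def verify(root, msg, signature):
    idx, ots_sig, pk, path = signature
    return lamport_verify(pk, msg, ots_sig) and root_from_path(leaf_hash(pk), idx, path) == root
```

The signer keeps the whole tree in memory only for simplicity; the point of the example is the secret side, where the key update is a single one-way PRG step and the index guarantees each leaf is used once.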


Page 24: Practical Forward Secure Signatures using Minimal Security Assumptions

Result

SPR-MSS [DOTV08]: Minicrypt; FSS; $|SK| = 2^{h+1} bm + TTA$; $|SIG| \approx 2bm + hb$

GMSS (Single Tree) [BDK+07]: Cryptomania; not FSS; $|SK| = b + TTA$; $|SIG| \approx 2b(m/\log w) + h \cdot 2b$

XMSS [BDH11]: Minicrypt; FSS; $|SK| = b + TTA$; $|SIG| \approx b(m/\log w) + hb$


Page 25: Practical Forward Secure Signatures using Minimal Security Assumptions

Chapter 7

XMSS* in Practice


Page 26: Practical Forward Secure Signatures using Minimal Security Assumptions

XMSS Implementations: C Implementation

C Implementation, using OpenSSL [BDH2011]

Scheme | Sign (ms) | Verify (ms) | Signature (bit) | Public Key (bit) | Secret Key (byte) | Bit Security | Comment

XMSS-SHA-2 | 35.60 | 1.98 | 16,672 | 13,600 | 3,364 | 157 | h = 20, w = 64

XMSS-AES-NI | 0.52 | 0.07 | 19,616 | 7,328 | 1,684 | 84 | h = 20, w = 4

XMSS-AES | 1.06 | 0.11 | 19,616 | 7,328 | 1,684 | 84 | h = 20, w = 4

RSA 2048 | 3.08 | 0.09 | ≤ 2,048 | ≤ 4,096 | ≤ 512 | 87 |

Platform: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz with Intel AES-NI


Page 27: Practical Forward Secure Signatures using Minimal Security Assumptions

XMSS Implementations: Smartcard Implementation

Scheme | Sign (ms) | Verify (ms) | Keygen (ms) | Signature (byte) | Public Key (byte) | Secret Key (byte) | Bit Sec. | Comment

XMSS | 134 | 23 | 925,400 | 2,388 | 800 | 2,448 | 92 | H = 16, w = 4

XMSS+ | 106 | 25 | 5,600 | 3,476 | 544 | 3,760 | 94 | H = 16, w = 4

RSA 2048 | 190 | 7 | 11,000 | ≤ 256 | ≤ 512 | ≤ 512 | 87 |

Platform: Infineon SLE78 16Bit-CPU@33MHz, 8KB RAM, TRNG, sym. & asym. co-processor

NVM: Card 16.5 million write cycles/sector, XMSS+ < 5 million write cycles (h=20)

[HBB12]


Page 28: Practical Forward Secure Signatures using Minimal Security Assumptions

Conclusion


Page 29: Practical Forward Secure Signatures using Minimal Security Assumptions

Conclusion


Efficient

Minimal security assumptions

„Small signatures"

Forward secure

Full smartcard implementation

Page 30: Practical Forward Secure Signatures using Minimal Security Assumptions

Future Work


FSS in the wild: Statefulness in Practice

Stateless Signatures: Few-time WOTS

Page 31: Practical Forward Secure Signatures using Minimal Security Assumptions

Thank you! Questions?

Page 32: Practical Forward Secure Signatures using Minimal Security Assumptions

Publications

[1] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. In A. Nitaj and D. Pointcheval (Eds), Africacrypt 2011, LNCS 6737, pp 363-378. Springer Berlin / Heidelberg, 2011.

[2] J. Buchmann, E. Dahmen, and A. Hülsing. XMSS - a practical forward secure signature scheme based on minimal security assumptions. In Bo-Yin Yang (Ed), Post-Quantum Cryptography, LNCS 7071, pp 117-129. Springer Berlin / Heidelberg, 2011.

[3] A. Hülsing, A. Petzoldt, M. Schneider, and S.M. El Yousfi Alaoui. Postquantum Signaturverfahren Heute. In Ulrich Waldmann (Ed), 22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012. Fraunhofer Verlag Stuttgart.

[4] A. Hülsing, C. Busold, and J. Buchmann. Forward secure signatures on smart cards. In Lars R. Knudsen and Huapeng Wu (Eds), Selected Areas in Cryptography, LNCS 7707, pp 66–80. Springer Berlin Heidelberg, 2013.

[5] J. Braun, A. Hülsing, A. Wiesmaier, M. A. G. Vigil, and J. Buchmann. How to avoid the breakdown of public key infrastructures - forward secure signatures for certificate authorities. In S. Capitani di Vimercati and C. Mitchell (Eds), EuroPKI 2012, LNCS 7868, pp 53-68. Springer Berlin Heidelberg, 2013.

[6] J. Buchmann, E. Dahmen, S. Ereth, A. Hülsing, and M. Rückert. On the security of the Winternitz one-time signature scheme. Journal of Applied Cryptography, 3(1):84–96, 2013.

[7] A. Hülsing. W-OTS+ — shorter signatures for hash-based signature schemes. In A.Youssef, A. Nitaj, and A.E. Hassanien (Eds), Africacrypt 2013, LNCS 7918, pp 173–188. Springer Berlin Heidelberg, 2013.

[8] M. M. Olembo, T. Kilian, S. Stockhardt, A. Hülsing, and M. Volkamer. Developing and testing a visual hash scheme. In N. Clarke, S.Furnell, and V.Katos (Eds), Proceedings of the European Information Security Multi-Conference (EISMC 2013). Plymouth University, April 2013.

[9] P. Weiden, A. Hülsing, D. Cabarcas, and J. Buchmann. Instantiating treeless signature schemes. Cryptology ePrint Archive, Report 2013/065, 2013. http://eprint.iacr.org/.

[10] A. Hülsing, J. Braun. Langzeitsichere Signaturen durch den Einsatz hashbasierter Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013.

[11] J. Braun, M. Horsch, A. Hülsing. Effiziente Umsetzung des Kettenmodells unter Verwendung vorwärtssicherer Signaturverfahren. In Tagungsband zum 13. Deutschen IT-Sicherheitskongress 2013, Herausgeber: BSI, Secu-Media Verlag, Gau-Algesheim, 2013.

[12] A. Hülsing, L. Rausch, and J. Buchmann. Optimal parameters for XMSSMT. In A. Cuzzocrea, C. Kittl, D. E. Simos, E. Weippl, and L. Xu, (Eds), Security Engineering and Intelligence Informatics, LNCS 8128, pp 194–208. Springer Berlin Heidelberg, 2013.

[13] J. Buchmann, D. Cabarcas, F. Göpfert, A. Hülsing, and P. Weiden. Discrete ziggurat: A time-memory trade-off for sampling from a gaussian distribution over the integers. In Selected Areas in Cryptography 2013 (SAC’13), to appear.

[14] J. Braun, F. Kiefer, and A. Hülsing. Revocation & non-repudiation: When the first destroys the latter. In EuroPKI 2013, to appear.

Page 33: Practical Forward Secure Signatures using Minimal Security Assumptions

Quantum Computing Progress

IBM 2012: “Scientists at IBM Research … have achieved major advances in quantum computing device performance that may accelerate the realization of a practical, full-scale quantum computer.“


Page 34: Practical Forward Secure Signatures using Minimal Security Assumptions

Chapter 5

XMSS^MT


Page 35: Practical Forward Secure Signatures using Minimal Security Assumptions

Tree Chaining [BGD+06, BDK+07] (figure: layers of trees, indexed by $i$ and $j$)

Improved distributed signature generation [HBB12, HRB13]

Key generation time: $t_{KG}: O(2^h) \to O(2^{h/d})$


Page 36: Practical Forward Secure Signatures using Minimal Security Assumptions

Result

GMSS [BDK+07]: Cryptomania; not FSS; $t_{SIG} = h/2 = \sum_i h_i/2$

XMSS^MT [HBB12, HRB13]: Minicrypt; FSS; $t_{SIG} = h_0/2$


Page 37: Practical Forward Secure Signatures using Minimal Security Assumptions

Security Level aka. Bit Security

Exact Proof:

„In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately $2^{\lambda-1}$.“ [Len04]

Solve for $t$: using $\epsilon = \frac{1}{2}$ for the forger and $\frac{t}{2^n}$ as the success probability of a generic attack with effort $t$ on $\mathcal{F}_n$.


Page 38: Practical Forward Secure Signatures using Minimal Security Assumptions

Security Level aka. Bit Security (Quantum Case)

Exact Proof:

„In general, a cryptographic system offers security level λ if a successful generic attack can be expected to require effort approximately $2^{\lambda-1}$.“ [Len04]

Solve for $t$: using $\epsilon = \frac{1}{2}$ for the forger and, in place of the classical $\frac{t}{2^n}$, the quantum generic-attack success probability $\frac{t}{2^{n/2}}$ for effort $t$ on $\mathcal{F}_n$.

Page 39: Practical Forward Secure Signatures using Minimal Security Assumptions

EU-CMA for OTS

The challenger hands the adversary $(PK, 1^n)$ and access to a SIGN oracle holding $SK$; the adversary submits one message $M$ and receives $(\sigma, M)$.

The adversary outputs $(\sigma^*, M^*)$. Success if $M^* \ne M$ and $\mathrm{Verify}(pk, \sigma^*, M^*) = \mathrm{Accept}$


Page 40: Practical Forward Secure Signatures using Minimal Security Assumptions

Quantum-secure Signatures

The challenger hands the adversary $(PK, 1^n)$; the SIGN oracle holding $SK$ now answers superposition queries, $\sum_m \psi_m |m\rangle \mapsto \sum_m \psi_m |m, \sigma_m\rangle$, $q$ times.

The adversary outputs $\{(m_i, \sigma_i)\}_{i=1}^{q+1}$. Success if $\forall\, i, j \in [1, q+1],\ i \ne j: m_i \ne m_j$ and $\mathrm{Verify}(pk, m_i, \sigma_i) = 1$ for all $i$


Page 41: Practical Forward Secure Signatures using Minimal Security Assumptions

BDS-Tree Traversal [BDS08]

Computes authentication paths

Store the most expensive nodes: the nodes on the top $k$ levels of the height-$h$ tree (cost # $2^{h-1}$, # $2^{h-2}$, … leaf computations each)

Left nodes are cheap

Distribute costs: $(h-k)/2$ updates per round


Page 42: Practical Forward Secure Signatures using Minimal Security Assumptions

Minimal Security Assumptions

Figure (FF = function family, HFF = hash function family):

One-way FF → Pseudorandom Generator [HILL99] → Pseudorandom FF [GGM86]

One-way FF → Target-collision resistant HFF [Rom90] → Digital signature scheme [NaYu89] [Rom90]

XMSS is built from a Pseudorandom FF and a Second-preimage resistant HFF


Page 43: Practical Forward Secure Signatures using Minimal Security Assumptions

From Fixed to Arbitrary Length Messages

„Hash and Sign“ with a Collision-Resistant HFF: efficient, but Cryptomania

„Hash and Sign“ with a Target Collision-Resistant HFF: inefficient, but Minicrypt

Page 44: Practical Forward Secure Signatures using Minimal Security Assumptions

Minimal Security Assumptions - Why?

Theory: Nice

Practice: Weaker assumption → stronger security, smaller signatures

Attack: Weaker assumption → harder to attack, attack less likely, “early warning”

Page 45: Practical Forward Secure Signatures using Minimal Security Assumptions

… BUT WAIT!

CR for Chosen Message Attacks; Random Message Attacks: only SPR

Active Signing: CMA; Stored Messages: RMA

If CR broken: Change HFF

Page 46: Practical Forward Secure Signatures using Minimal Security Assumptions

02.12.2011 | TU Darmstadt | A. Huelsing | 46

Hash function & PRF

Use plain AES for PRF

Use AES with Matyas-Meyer-Oseas in Merkle-Damgård mode for hash function

$\mathcal{F}_n = \{F_K : \{0,1\}^n \to \{0,1\}^n \mid K \in \{0,1\}^n\}$